Multiple RCE and Auth Bypass Flaws in Cisco Catalyst SD-WAN Manager
A cluster of severe vulnerabilities in Cisco's Catalyst SD-WAN Manager (formerly vManage) enables remote code execution (RCE), privilege escalation, authentication bypass, information disclosure, and arbitrary file overwrites, posing a high risk to enterprise networks.
Multiple RCE and Auth Bypass Flaws
Published on February 25, 2026, under Advisory ID cisco-sa-sdwan-authbp-qwCX8D4v (Version 1.0), these flaws affect all configurations of Cisco Catalyst SD-WAN Manager before the specified fixed releases, with no workarounds available.
The most critical issue, CVE-2026-20129, carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), stemming from improper API authentication that lets unauthenticated remote attackers impersonate netadmin users and execute arbitrary commands. Releases 20.18 and later are immune to CVE-2026-20129 and CVE-2026-20128.
Complementing this are CVE-2026-20126 (CVSS 7.8, High), a local privilege escalation via flawed REST API authentication that allows low-privileged users to gain root access (CWE-287); CVE-2026-20133 (CVSS 7.5, High), an unauthenticated information leak caused by lax file system controls (CWE-200); CVE-2026-20122 (CVSS 7.1, High), which lets authenticated attackers holding only read-only credentials overwrite remote files and potentially gain vmanage privileges (CWE-257); and CVE-2026-20128 (CVSS 5.5, Medium), which exposes DCA credentials on the filesystem for lateral movement.
These independent flaws (Cisco Bug IDs: CSCws33583–CSCws33587) chain together easily to enable full compromise without prerequisites.
For CVE-2026-20129, attackers craft API requests that bypass netadmin checks, injecting commands network-wide; exploitation requires only network reachability, with no user interaction.
CVE-2026-20126 exploits a weak REST API authentication flaw, allowing a local low-priv user to send tailored requests to spawn root shells on a Linux-based OS. Info disclosures in CVE-2026-20133 and -20128 leak filesystem data or DCA passwords via API/filesystem access, aiding persistence (CWE-200, CWE-287).
The file overwrite in CVE-2026-20122 abuses API upload flaws, allowing read-only users to replace critical files, escalate to vmanage rights, and enable RCE indirectly.
CVSS vectors highlight remote unauthenticated access for most, with high impact on confidentiality, integrity, and availability; no evidence of in-the-wild exploits yet for this cluster, unlike related SD-WAN flaws like CVE-2026-20127.
| CVE ID | CVSS Score | Vector (CVSS:3.1) | Type/Impact | Bug ID(s) |
|---|---|---|---|---|
| CVE-2026-20129 | 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Auth Bypass (netadmin RCE) | CSCws33587 |
| CVE-2026-20126 | 7.8 (High) | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Privilege Escalation (to root) | CSCws93470 |
| CVE-2026-20133 | 7.5 (High) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Info Disclosure (sensitive files) | CSCws33583 |
| CVE-2026-20122 | 7.1 (High) | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L | Arbitrary File Overwrite (vmanage privs) | CSCws33584, CSCws33586 |
| CVE-2026-20128 | 5.5 (Medium) | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | Info Disclosure (DCA creds) | CSCws33585 |
Affected and Fixed Releases
All Cisco Catalyst SD-WAN Manager versions before the fixed releases are vulnerable; Cisco has confirmed that no products beyond those listed are affected, and releases 20.18 and later are not affected by select CVEs.
Cisco urges immediate upgrades to fixed releases, emphasizing that no workarounds exist. Isolate SD-WAN Manager from the internet via firewalls, allowing only trusted IPs on management ports (e.g., VPN 512); turn off HTTP/FTP/unused services; enforce SSL/TLS with CA certs; rotate default admin creds; use role-based access; forward logs to external SIEM; monitor for anomalous API/CLI traffic.
For upgrades, refer to the Cisco Catalyst SD-WAN Upgrade Matrix. Enterprises should scan for exposures to SD-WAN assets using tools like runZero. CISA’s KEV for related flaws underscores federal mandates, signaling broad interest among threat actors in SD-WAN for persistence.
Site: cybersecuritypath.com